ABSTRACT

This essay presents the results of a study which surveyed the various aspects of system security hardware, software, and procedural techniques in use in current and proposed automated systems. Its impetus is from the concern for security control that has been generated by the increasing number of time-sharing and [illegible] systems. The intention is to present the designers, managers, programmers, system implementers, and operational personnel with a consolidated source of data concerning security techniques and with a tool to evaluate the data and select the techniques applicable to their respective security requirements.
I. INTRODUCTION

The basic security requirement in any system is to prevent unauthorized access to or change of data while allowing the authorized use necessary to accomplish the system's mission. Manual systems require the protection of data only. Automated systems introduce the added problem of protecting the process, both programs and hardware, that is used to store, access and change the data. This implies the necessity of adequate safeguards built into the management and hardware/software aspects of the system. Thus a decision must be made as to what is needed in the way of security. The processing and storing of sensitive information and preventing it from falling into the wrong hands is a technological problem requiring a comprehensive examination of both the type of information and the possible/probable threats that a data bank will be required to handle.

The objective of the current effort is to (1) review current and completed studies of the security and access limitation problem for automated systems; (2) analyze the data collected considering the differences in techniques as required by systems and users; (3) discuss techniques for data base security and access control applicable to a given system.
A close examination of security requirements indicates that they are dependent on the specific type of threat posed to the system. There are three general classes of threats: unintentional, deliberate passive, and deliberate active.

Unintentional threats are those that arise from hardware and software failures and user errors which allow unauthorized but inadvertent access to files or programs.

Deliberate passive threats are caused by electromagnetic radiation from the computer hardware and communications equipment. Passive methods include wire-tapping and monitoring of electromagnetic emanations.

Deliberate active threats are from attempts to enter the system so as to obtain data from the files or to interfere with data files or the system. Examples of this type of threat are (1) using legitimate access to ask for or obtain unauthorized access (browsing), (2) masquerading as a legitimate user, (3) using access to the system as support personnel (systems programmers, operator, hardware maintenance, management) to obtain data or create trap doors into the system, (4) tapping into remote terminals to receive "piggy back" entry with an authorized user, (5) between-lines entry, and (6) cancellation of a user's sign-off signals to continue operation.

These threats are nearly the same for all systems, differing primarily in the degree to which system design features allow exploitation. This potential for exploitation is created at each point where a user interacts with the system. Since the security requirements depend on the threat of exploitation and the threat of exploitation in turn depends on the particular system access point, the key to specifying the security requirements for a system lies in an examination of the system's accessibility.

III. SECURITY REQUIREMENTS COMMON TO ALL SYSTEMS 
The overall safeguarding of information in a computer system, regardless of configuration, is achieved by a combination of protection features aimed at the different areas of leakage points. These areas are discussed below and an overview of the vulnerability points is depicted in fig 1.

A. MAINTENANCE AND SUPPORT ACCESS

All systems have the requirement to allow access for maintenance of the system software and hardware. This "support access" must be provided for the system programmers, maintenance personnel, computer operators, and management personnel responsible for the system operation. It represents a potential means of deliberate active penetration and has been addressed in the literature on non-military systems as the area of most concern. Non-military systems lack the procedural security regulations established by law for military systems. [AMR 71]

The support access characteristics were similar in all systems. Access at the assembly/procedure oriented language level is needed to debug programs, maintain hardware, and establish system operating conditions. In all government systems, this support activity was conducted only at local terminals within the secure computer area, where common procedural techniques were relied on to limit access to cleared personnel.

The accessibility afforded to support personnel in commercial systems has received more attention in terms of the development of sophisticated automated security techniques. The primary reason is that military systems have developed strong procedural techniques (clearance procedures for personnel, security regulations with formal legal penalties for infractions) that are not available for use in commercial systems.

Security requirements determined by the need for support access include (1) the ability to isolate access to programs and data to only those authorized to maintain the particular program/file, (2) the ability to effectively restrict maintenance personnel to the maintenance of specific software routines, (3) the need for procedures to insure that programs are completely debugged, (4) the need to audit files for unauthorized changes, (5) the ability to determine if equipment is operating properly before it is placed in the system, (6) the ability to detect and control changes to systems routines, (7) the ability to bound dumps of memory and peripheral storage, (8) the ability to determine that a program only performs the function for which it was designed, and (9) the ability to restrict access by internal control tables.


B. FAILURE ACCESS

The threat of compromise from the release of data or programs due to hardware or software failure is common to all systems and represents a potential means of unintentional penetration. Such failures can involve the coupling of information from one user with that of another user, rendering the files or programs unusable. They could result in defeat or circumvention of security measures, or unintentional change in the security status of users, files or terminals. Accidental disclosures may also occur by improper actions of machine operating or maintenance personnel without deliberate intent.

Security requirements determined by the need for failure control include the following: (1) the ability to trap to software error routines when parity errors are encountered, (2) the ability to prevent circumvention by software "bugs" of the partitioning technique that isolates data and programs from unauthorized access, (3) the need to check out and certify program changes and equipment repairs to ensure that they are operating correctly, (4) the need to maintain the protection mechanism when a system error is encountered, (5) the need to recover from failure without revealing protected data and system tables, and (6) the need to protect back-up files, and to certify that the appropriate back-up file is loaded.


C. DELIBERATE PASSIVE ACCESS

Electromagnetic radiation, wiretapping, and "bugs" can be used on all systems if proper security techniques are not implemented. Electromagnetic radiations from computer equipment, power lines and communications lines can be detected and decoded. Wiretapping into communications lines can be used to send and receive data. The planting of bugs or recording devices is possible if proper area security precautions are not used. Techniques that are applicable to this category of requirements are cryptographic data transformations and/or shielded lines for communication links, and maintenance of a properly secured area.

Security requirements determined by the need to prevent deliberate passive access include conventional red/black (classified lines & unclassified lines) isolation requirements as well as (1) the ability to encode/decode transmitted data so that it cannot be deciphered, (2) the need to certify that hardware either can not be, or has not been, tampered with, and (3) the ability to make stored data unintelligible to direct dumping.
IV. SECURITY REQUIREMENTS PARTICULAR TO A GIVEN SYSTEM

Systems differ in their interface with the system user. The user of the system exercises the system for its functional purpose and is not concerned with its design, implementation, or maintenance. User accessibility to a system is defined by the type of system interface, the language capability offered, and the clearance of data and users provided. Different combinations of these imply increasingly sophisticated levels of access rights and hence different possibilities of penetration attempts. The user access capabilities that directly relate to security requirements are language capability, terminal location and usage, and user and data clearance levels.


A. USER LANGUAGE CAPABILITY

The user interfaces with the automated system in either an off-line or an on-line mode. In an off-line mode he submits requests for data services to support personnel and receives as his output printed reports. This mode of operation is typical of closed shop batch systems. Their security requirements, in so far as they concern the user, differ from manual systems only by the addition of a requirement for security within the secure area of the computer facility.

In the on-line mode, the user is provided a capability to request data services directly from the computer equipment by means of some input (generally remote) device. His form of interaction with the computer can vary from rigid requests or predetermined fixed transaction input/output, to use of a free-form query language, and entry of actual computer programs in procedure oriented or assembly language. Increased security requirements are dictated as the user's capability to access data increases.

Fixed transaction input/output allows the system designer to predetermine what will be the specific input and output allowed for a given user at a given terminal. The ability to enter and execute POL or assembly language programs places the user at almost the same capability as support personnel and could allow circumvention of security techniques implemented for fixed format or free form query capabilities. A higher level of security requirements is necessary to provide protection against this increased language capability. See figure 2.


B. TERMINAL LOCATION AND USAGE

The ability of a user to access or change data from remote terminals suggests penetration methods not possible in a system with only local terminals within a secure area. The communications lines must be protected, and system or user errors could allow release of data outside the secure area. Additionally, the vulnerability of a remote terminal secure area, especially in a tactical military system, is greater.

System security requirements are also influenced by the use of the terminals; that is, whether there is only one class of need-to-know at a given terminal or whether there are multiple classes of need-to-know at a given terminal. Multiple need-to-know at a given terminal requires that the system be able to identify the different user classes at a given terminal and provide protection against "browsing" and "masquerading".


C. DATA CLASSIFICATION

The security classification of data is an expression of the value of the information to national defense and hence the seriousness of its unauthorized access or change. Systems which handle Top Secret data have a higher security requirement than those which handle data of lower classification. In a security requirement sense, if different levels of data classification exist, the security design problem increases since techniques must be implemented to isolate the different levels, provide the proper degree of security protection, and guard against unintentional or deliberate attempts to gain access to data at unauthorized security levels.

Three levels of security requirements exist depending upon the classification of data in the system and the level of clearance of the user: (1) the data classification is all one level (such as Secret) and all users are cleared to that level, (2) different data classifications exist (Top Secret, Secret, Confidential) with users of different clearance levels, and (3) unclassified data exists with classified data and uncleared users are allowed to access the unclassified data. The security requirement increases as data classification and user clearance level increase in complexity.



V. COMPARISON BETWEEN HARDWARE, SOFTWARE, AND PROCEDURAL TECHNIQUES

The comparison of hardware and software techniques identifies which security function can best be accomplished by each and whether combinations of these techniques are necessary to provide adequate protection. A comparison of manual versus automated systems procedures identifies the similarities between the two systems and the different approaches taken to perform the security function. Such a comparison provides a method to judge the relative value of automated techniques to achieve at least the same security level as manual systems. This section considers first the comparison of hardware and software techniques which can be used for security purposes and then considers the similarities and differences between automated and manual system security procedures.

Figures 4 and 5 provide a qualitative assessment of the relative merits and costs of the techniques discussed. These costs are divided into three areas. Costs for procedural techniques were not estimated.

Response time - the cost incurred by every message input to the system expressed as an effect on the length of time that a message response is delayed by the processing required for the technique in question.

Throughput - the cost incurred by the system expressed as the decrease in the amount of processing the system is able to accomplish in a given time period caused by the additional processing required for the technique in question.

Procurement - the cost associated with each technique expressed as the degree of expense involved in developing, maintaining, and servicing the technique in question.

The effect in each case is described as low, medium, or high, where low is taken to mean less than 5 percent increment in the cost of the system, medium to mean between 5 and 10 percent, and high to mean more than 10 percent.


A. SOFTWARE TECHNIQUES

The software techniques surveyed are described and compared in terms of the general threat to which they apply. The techniques are categorized by the major functional routines of an on-line system.


1. User Interface

The user interface is the point at which the user becomes known to and interacts with the system. In a secure system, only known users can be permitted access. The proper identification of the user is necessary for accountability and, in a system that allows multiple need-to-know access at a terminal, to determine the access rights to be associated with the task that is initiated by a user's input request.

a. User Security Clearance

The user security clearance is the assignment to each user of a code word indicating the highest classification level of data to which he has been authorized access. Generally, the code word consists of three bits, allowing for seven combinations, that are compared on a simple equality test against the security classification code of the data. The assignment and maintenance of codes are the responsibility of either the security officer, the data administrator, or support personnel. The legal pairs of user codes and data classification codes are maintained in most cases in a system table which can only be accessed in executive mode.

b. User Access Privileges

If it is necessary to link individual users to subsets of the available data or processes, then some type of profile must be developed either pointing to or specifically identifying the user access privileges. This profile may contain the identity or classification of the files available to the user, the manner in which the files can be accessed (i.e., read, write, process, modify or erase), the degree to which access is permitted, the specific terminals from which the user may operate, and the particular processes he may execute (named routines, standard jobs, or precompiled transactions). [Glasser 67]

The user profiles themselves are maintained as a system file, normally resident on secondary storage because of its size. Because of its sensitivity, the data contents of the file are usually transformed.
c. Password

The password is the privileged identifier that a user must submit to obtain entry to the system. From a software standpoint, it is the only means of initially identifying a legal system user. Passwords may be required at log-in, at both log-in and log-out, or for every transaction executed. The more frequently the password is required, the less likely is the possibility that an illegal user will obtain entry, but the more costly the user interface becomes in terms of its effect on the throughput and response time. Typed-in passwords range from 3 to 18 alphanumeric characters in existing systems, are either fixed or variable in length, and may contain blanks. No data was available on the format of voiceprint or key-pattern passwords. Passwords remain unchanged in some systems, are changed periodically in others, and are changed at irregular intervals in one proposed design. [Weissman 69] The more frequently the password is changed, the higher are both the maintenance cost and the error rate. Passwords are either assigned, generated, or selected using some standard random number generator.

Although it has been shown that any password scheme can eventually be broken, the degree of difficulty of doing so exceeds that of opening a 3-way 50-number safe combination when the password exceeds five alphanumeric characters. Some systems attempt to detect password tinkering by assuming that a fixed number of consecutive illegal attempts (usually 2) from the same terminal is sufficient cause. Legal passwords are maintained in every case as a system table.
d. Password Dialogue

Since it is possible to eventually break any password scheme, several variations of the technique have been suggested to obtain more foolproof identification of legal users. One such variant is to require the user to engage in a form of dialogue with the system after the initial password is validated. This dialogue requires the user to provide responses either unique to himself (his payroll number in one case; another password in another case; a user defined item of personal knowledge in a third case) or to perform some relatively simple algorithm on either a system-supplied random variable or some transitory quantity (time of day, date, etc.); the system performs the same algorithm and checks the validity of the response. [Babcock 67] (e.g., system: "enter password", user: shazam, system: "OK. enter key", user: 3750094) Once again, the scheme is susceptible to penetration, but the level of difficulty has been raised significantly, at a cost in increased terminal response time and communication line loading. [Baran 64]

e. Consecutive Password List

Another variation of the basic password technique is to assign a list of legal passwords to each user. The system will accept only the next password on the list each time that the user enters his password. This makes it extremely difficult to obtain a legal password through either passive deliberate penetration attempts or active tinkering with password combinations, but it also requires hard copy lists of legal passwords to be made available to users and inevitably produces a greater number of erroneous entries by legal users. In spite of these drawbacks, consecutive passwords for each input have been accepted as an alternative to encrypted data links in one military system. [Weissman 69]
f. Password Transform

Since the list of legal passwords is considered to be extremely sensitive information, it is usually resident in core, and is frequently appended to program status blocks. Several systems have taken steps to prevent its being obtained either deliberately or accidentally by a readout from core. These steps involve implementing various transformation techniques on passwords received. Huffman encoding is used in one system; a simple transposition of digits is used in another; an algorithm to produce non-reversible inversions is implemented in a third. [Petersen 67]
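The consecutive password list, the dialogue step and the stored-password transform described in c through f, as an added example in C that is not part of the survey or of any system it cites; the FNV-1a transform, the (a*r + b) mod 10000 dialogue algorithm, the sample user, passwords and officer code are all constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed demo of the survey's password techniques: a non-reversible
 * transform on stored passwords (f), a consecutive password list (e), a
 * dialogue step on a system-supplied random variable (d), and the
 * "usually 2" consecutive illegal attempts that raise an alarm (c). */

#define MAX_LIST    8
#define MAX_ILLEGAL 2

/* Toy non-reversible transform (FNV-1a hash). It stands in for the Huffman,
 * transposition and inversion schemes the survey mentions; it is an
 * assumption of this example, not one of the surveyed algorithms. Only the
 * transformed value is kept in core, so a dump does not yield passwords. */
static uint32_t transform(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 16777619u;
    }
    return h;
}

struct user_entry {
    const char *name;
    uint32_t list[MAX_LIST];   /* transformed consecutive password list */
    int count;                 /* passwords on the list */
    int next;                  /* index of the next acceptable password */
    int illegal;               /* consecutive illegal attempts */
    int locked;                /* terminal isolated; needs officer reset */
    unsigned dlg_a, dlg_b;     /* user's private dialogue parameters */
};

enum verdict { ACCEPTED, REJECTED, ALARM_DISCONNECT, LIST_EXHAUSTED };

/* Enrol a user from a hard-copy list; only the transforms are retained. */
static void enroll(struct user_entry *u, const char *name,
                   const char *const *pws, int n, unsigned a, unsigned b)
{
    memset(u, 0, sizeof *u);
    u->name = name;
    for (int i = 0; i < n && i < MAX_LIST; i++)
        u->list[u->count++] = transform(pws[i]);
    u->dlg_a = a;
    u->dlg_b = b;
}

/* Only the next password on the list is legal; an accepted password is
 * consumed, so one picked up by eavesdropping is useless for a later entry. */
static enum verdict submit_password(struct user_entry *u, const char *typed)
{
    if (u->locked) return ALARM_DISCONNECT;
    if (u->next >= u->count) return LIST_EXHAUSTED;
    if (transform(typed) == u->list[u->next]) {
        u->next++;
        u->illegal = 0;
        return ACCEPTED;
    }
    if (++u->illegal >= MAX_ILLEGAL) {
        u->locked = 1;          /* alarm the control group, lock the keyboard */
        return ALARM_DISCONNECT;
    }
    return REJECTED;
}

/* Dialogue step: the system supplies random variable r and expects the
 * user's private algorithm applied to it, here (a*r + b) mod 10000 (an
 * assumed toy algorithm). The system computes the same value and compares. */
static int dialogue_ok(const struct user_entry *u, unsigned r, unsigned reply)
{
    return reply == (u->dlg_a * r + u->dlg_b) % 10000u;
}

/* Bringing the terminal on-line again requires the security officer's
 * special identifier code; only its transform is held in the table. */
static uint32_t officer_code_t;

static int officer_reset(struct user_entry *u, const char *code)
{
    if (transform(code) != officer_code_t) return 0;
    u->locked = 0;
    u->illegal = 0;
    return 1;
}

/* Constructed sample user and officer code for the demonstration. */
static struct user_entry demo_user;

static void demo_setup(void)
{
    static const char *const list[] = { "shazam", "abracad", "opensesame" };
    officer_code_t = transform("RESET-7731");
    enroll(&demo_user, "jones", list, 3, 7, 11);
}
```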


2. Terminal Subsystem

Nearly all of the systems surveyed provided for on-line terminals and a significant part of the software in these systems is that associated with terminal characteristics. Less significant, however, are the software techniques implemented to account for security requirements arising from remote terminals. Terminals must be discretely identified to insure that data is transmitted to the correct location. Terminals at remote sites are susceptible to communication errors on transmission due to noise, may be easily expropriated for illegal use, and are frequently subject to public or semi-private display and the subsequent casual eavesdropping.

a. Error Correction Methods

The most obvious problem with terminals connected to a system through communication lines is the noise factor on the communication lines themselves. It introduces the possibility that illegal values or erroneous addresses may be input in otherwise valid messages. Methods have been developed in many systems to reduce the effects of noise in transmission. They include hash totals (i.e., cumulative adds) of characters or bits in the message; parity check bits and longitudinal redundancy checks to detect garbled words; and retransmission to compare duplicate results.
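The three line-error checks just listed, applied to a constructed message, as an added example in C that is not from the survey or the systems it cites; the frame layout (parity in bit 7, an LRC byte, a hash-total byte) and the sample text are assumptions of this example. It also shows the case the last item in the list is there for: a transposition of two characters passes all three checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed demo of the line-error detection methods the survey lists:
 * a parity bit per character (VRC), a longitudinal redundancy check (LRC)
 * over the whole message, and a hash total (cumulative add). The frame
 * layout is an assumption of this example, not a surveyed protocol. */

/* Even parity over the low 7 bits of a character. */
static uint8_t parity7(uint8_t c)
{
    c &= 0x7f;
    c ^= c >> 4;
    c ^= c >> 2;
    c ^= c >> 1;
    return c & 1;
}

/* Frame = each 7-bit character with its parity in bit 7, then an LRC byte
 * (XOR of all framed characters), then a hash total (sum of the 7-bit
 * values mod 256). Returns the frame length, 0 if the buffer is too small. */
static size_t frame_message(const char *text, uint8_t *out, size_t cap)
{
    size_t n = strlen(text);
    uint8_t lrc = 0, hash = 0;
    if (n + 2 > cap) return 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t c = (uint8_t)text[i] & 0x7f;
        uint8_t framed = c | (uint8_t)(parity7(c) << 7);
        out[i] = framed;
        lrc ^= framed;
        hash = (uint8_t)(hash + c);
    }
    out[n] = lrc;
    out[n + 1] = hash;
    return n + 2;
}

enum check { FRAME_OK, BAD_PARITY, BAD_LRC, BAD_HASH, TOO_SHORT };

/* Position of the first character that failed its parity check, -1 if none. */
static int last_bad_pos = -1;

/* Validate a received frame in the order the checks would run on receipt:
 * character parity first, then the LRC, then the hash total. */
static enum check check_frame(const uint8_t *in, size_t len)
{
    size_t n;
    uint8_t lrc = 0, hash = 0;
    enum check result = FRAME_OK;
    last_bad_pos = -1;
    if (len < 3) return TOO_SHORT;
    n = len - 2;
    for (size_t i = 0; i < n; i++) {
        uint8_t c = in[i];
        if (((c >> 7) & 1) != parity7(c)) {
            if (last_bad_pos < 0) last_bad_pos = (int)i;
            result = BAD_PARITY;
        }
        lrc ^= c;
        hash = (uint8_t)(hash + (c & 0x7f));
    }
    if (result != FRAME_OK) return result;
    if (lrc != in[n]) return BAD_LRC;
    if (hash != in[n + 1]) return BAD_HASH;
    return FRAME_OK;
}

/* Constructed sample message and helpers that inject line noise into it. */
static uint8_t demo_frame[64];
static size_t demo_len;

static size_t demo_build(void)
{
    demo_len = frame_message("TRANSFER 0100 TO ACCT 7", demo_frame, sizeof demo_frame);
    return demo_len;
}

/* Flip the bits in mask at frame position i (models a noise burst). */
static enum check demo_flip(size_t i, uint8_t mask)
{
    demo_frame[i] ^= mask;
    return check_frame(demo_frame, demo_len);
}

/* Swap two frame positions: a transposition that all three commutative
 * checks miss, which is why retransmission and comparison of duplicate
 * results is also on the survey's list. */
static enum check demo_swap(size_t i, size_t j)
{
    uint8_t t = demo_frame[i];
    demo_frame[i] = demo_frame[j];
    demo_frame[j] = t;
    return check_frame(demo_frame, demo_len);
}
```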
b. Terminal Answerback

Since it is possible to piggyback illegal terminals onto legal circuits, particularly in dialed and switched network systems, methods have been developed to uniquely identify legal terminals. Often, the identity is established by comparing the expected terminal address to a hard-wired terminal identifier that automatically transmits (i.e., "answers back") an identification key (20 alphanumeric characters in the system where this figure was published) with each input message or in response to a request code preceding each output message. [CDC 66]
c. Terminal Profile

The classes of data and/or users that can be legally associated with a given terminal are defined in a terminal profile list. This list is an extension of the terminal address table maintained by the executive. It usually only describes the highest security classification of data that can be output to a given terminal. It may also include a list of specific transactions that can be executed from that terminal and/or a list of explicitly named users who may access through the terminal. [Weissman 67]
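An access decision combining the user security clearance (1.a), the user profile (1.b) and the terminal profile (2.c), as an added example in C; none of it is code from the survey or the systems it cites, and the classification codes, the legal-pair table, the users, terminals and files are constructed assumptions.

```c
#include <string.h>

/* Constructed demo of an access decision that combines the user security
 * clearance code (1.a), the user profile (1.b) and the terminal profile
 * (2.c). The names, codes and table contents are assumptions of this
 * example, not the tables of any surveyed system. */

enum mode { M_READ = 1, M_WRITE = 2, M_PROCESS = 4, M_MODIFY = 8, M_ERASE = 16 };

/* 3-bit classification code words (seven combinations possible; four used). */
enum cls { UNCLASSIFIED = 1, CONFIDENTIAL = 2, SECRET = 3, TOP_SECRET = 4 };

struct file_entry { const char *name; enum cls cls; };
struct file_perm  { const char *file; unsigned modes; };

struct user_profile {
    const char *name;
    enum cls clearance;            /* highest level authorized (1.a) */
    struct file_perm perms[4];     /* files and manner of access (1.b) */
    int nperms;
    const char *terminals[2];      /* terminals he may operate from (1.b) */
    int nterminals;
};

struct terminal_profile {
    const char *addr;
    enum cls max_output;           /* highest classification output here (2.c) */
};

/* Legal (user code, data code) pairs, as held in an executive-mode table.
 * The survey describes an equality test; listing the pairs explicitly is
 * what lets a higher clearance also read lower data (this example's choice). */
static const struct { enum cls user, data; } legal_pairs[] = {
    { UNCLASSIFIED, UNCLASSIFIED },
    { CONFIDENTIAL, UNCLASSIFIED }, { CONFIDENTIAL, CONFIDENTIAL },
    { SECRET, UNCLASSIFIED },       { SECRET, CONFIDENTIAL }, { SECRET, SECRET },
    { TOP_SECRET, UNCLASSIFIED },   { TOP_SECRET, CONFIDENTIAL },
    { TOP_SECRET, SECRET },         { TOP_SECRET, TOP_SECRET },
};

static int pair_legal(enum cls user, enum cls data)
{
    for (size_t i = 0; i < sizeof legal_pairs / sizeof legal_pairs[0]; i++)
        if (legal_pairs[i].user == user && legal_pairs[i].data == data) return 1;
    return 0;
}

enum decision { ALLOW, DENY_TERMINAL, DENY_CLEARANCE, DENY_TERMINAL_CLASS, DENY_FILE_MODE };

/* Checks run in the order a terminal subsystem and executive would apply
 * them: terminal, clearance pair, terminal output class, then file modes. */
static enum decision authorize(const struct user_profile *u,
                               const struct terminal_profile *t,
                               const struct file_entry *f, unsigned modes)
{
    int ok = 0;
    for (int i = 0; i < u->nterminals; i++)
        if (strcmp(u->terminals[i], t->addr) == 0) ok = 1;
    if (!ok) return DENY_TERMINAL;
    if (!pair_legal(u->clearance, f->cls)) return DENY_CLEARANCE;
    /* anything read or processed here will appear at the terminal */
    if ((modes & (M_READ | M_PROCESS)) && f->cls > t->max_output)
        return DENY_TERMINAL_CLASS;
    for (int i = 0; i < u->nperms; i++)
        if (strcmp(u->perms[i].file, f->name) == 0)
            return (u->perms[i].modes & modes) == modes ? ALLOW : DENY_FILE_MODE;
    return DENY_FILE_MODE;   /* file not in the profile at all */
}

/* Constructed sample tables. */
static const struct file_entry payroll = { "PAYROLL", CONFIDENTIAL };
static const struct file_entry deploy  = { "DEPLOY",  SECRET };
static const struct file_entry budget  = { "BUDGET",  TOP_SECRET };

static const struct terminal_profile t01 = { "T01", SECRET };
static const struct terminal_profile t07 = { "T07", CONFIDENTIAL };

static const struct user_profile jones = {
    "jones", SECRET,
    { { "PAYROLL", M_READ | M_MODIFY }, { "DEPLOY", M_READ | M_PROCESS } }, 2,
    { "T01", "T07" }, 2,
};
static const struct user_profile smith = {
    "smith", CONFIDENTIAL,
    { { "PAYROLL", M_READ } }, 1,
    { "T07" }, 1,
};
```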
d. Terminal Character Suppression

Any on-line terminal that is used to input identification codes is susceptible to both casual and deliberate eavesdropping. There are two variations of a technique to reduce the vulnerability of input codes. In the case where hard-copy is used, the system strikes over the number of positions required for identifier codes each time such a code is expected from the user. This provides a marginal degree of protection. In the other case, a code is transmitted to the terminal to suspend printing or display-images on the text-line in which an identifier code is expected by the system.
e. Automatic Alarm and Disconnect

If the system is able to detect that a terminal or a terminal connection is being used for (attempted) illegal input, it is necessary to provide an alarm to alert the control group and to isolate the suspect terminal from the system. Obviously, the alert should include the terminal address. It could also include the nature of the attempted input. Since it may be advantageous not to alert the interloper that his presence has been detected, the isolation of the suspect terminal in one suggested plan would still permit it to remain linked to the system by engaging the user in a series of questions and delays. In most cases, however, the terminal is disconnected and/or the keyboard is locked to prevent further communication. Bringing the terminal on-line again usually requires that the security officer or control group input a special identifier code.


3. Executive/Monitor

The heart of any multi-programming system is the executive control routine. It is the most complex, sophisticated, and important component of the software. By its very nature, it is perhaps the most difficult to penetrate but then, it is undoubtedly the most rewarding. In this area in particular, procedural techniques must be relied upon. It is impossible to prevent support personnel from leaving "trapdoors" or potential entry points in the software, and the need for integrity of and confidence in support personnel is paramount. Many of the techniques developed in this area also require parallel hardware features.
a. Privileged Instructions

Given that the hardware has a master/user mode capability, the set of instructions that can be executed in the master mode are regarded as privileged instructions. Since they are intimately involved with system control (e.g., the setting and resetting of bounds registers, the initiation of channel commands, the loading of read/write address registers, the deciphering of internal and external interrupts) they have an immediate application to security requirements. They should be used sparingly and should be concentrated in a few easily associated routines. The routines should operate in privileged mode as briefly as possible, branching to user mode to perform the function initiated. Dispersing privileged instructions in many executive routines simply improves the chances for trapdoors and illegal circumvention.
b. Relocatable Bootstrap

If it were possible to bypass protection keys and to gain access to areas of memory normally reserved for the executive and its tables, then it would also be possible to read any of the access lists and authority tables controlled by the executive. One technique suggested to reduce the likelihood of this occurring is to perform bootstrap loading of executive routines from a changing key address. In this manner, executive routines and tables no longer have absolute locations relative to each other and to the user partitions, and only haphazard location of the secured routines would be possible. Because of its potential effect on the efficiency of the system, the technique has only been discussed. [CDC 66]
c. Redundant Coding

Since it is possible to modify code prior to loading, it has been suggested that key routines exist as multiple, discrete copies, and that requests for the services of these routines be executed in parallel by each copy. The results can then be compared, including the number of instructions executed. The effective cost of this approach is high even in a multiprocessing system, but it further insures that key security routines cannot be modified or executed without detection. [Holho 70]
d. Module Dialogue

In any calling sequence, the parameters passed between modules are usually specified as a part of the standard call macro. It has been suggested that this be modified somewhat in those cases where it is feared that an interloper may substitute his own code for a system routine. At random points in the routine in question, private call parameters known only to the programmer responsible for that routine can be inserted. The routine called (or calling) is also prepared to expect the interspersed dialogue words. Since these would be difficult to detect in absolute code, it would raise considerably the level of difficulty associated with making such code substitutions.
e. Program Interpretation

Since it is difficult to detect subtle changes in absolute code, it has been suggested that programs be loaded through an interpreter at all times. If the interpreter includes some kind of code optimizer, each version of a program in its absolute code form would be slightly different than the preceding one. In this way, not only would it be difficult for a penetrator to modify or decipher program routines (except as a one-time event), but it would also be difficult for the programmer himself to take advantage of fixed relationships in his program that might permit the introduction of trap-doors.
f. Centralized I/O Control

This is a fairly common technique employed by most third-generation systems. It separates application programs from direct address references to I/O devices and instead requires them to submit macro commands that deal with the device as a logical, virtual, or relative extension of memory. The executive then generates and performs the physical I/O commands and thereby is able to maintain control over boundary establishment and limited units of location. Without the equivalent hardware capability to trap to monitor mode whenever privileged instructions are attempted, this approach cannot be validated.
g. Error Monitors

In a system with many users, the cost of maintaining security can increase significantly if the user error-rate is high. This technique is intended to maintain a rating of the capability of individual users to perform the procedures associated with inputting valid transactions. If their error-rate increases beyond a predetermined level, then their priority in the system is decreased. The cost of maintaining this scheme is quite high however, since it requires some corresponding method to re-evaluate and to certify the user's capability.
h. Error Interrupts

Any attempt to perform an illegal operation, to address some location outside of assigned boundaries, to input erroneous data, etc., should be the cause of an error interrupt. The routines to handle such interrupts can attempt to correct the error and resubmit the request, abort or suspend the user in question, alarm control authorities, or regard the error as acceptable, flag it, and continue processing. Once it is determined in monitor mode what the interrupt is, any further processing to deal with it should be performed in user mode to reduce the occasions for illegal execution of privileged instructions.
i. Executive Commands By Access Rights 
This technique associates a category code with 
all executive command routines and restricts their direct 
use to only the subset of users cleared to the equivalent 
category of access. 
j. Boundary Maps

Boundary maps are the legal units of allocation
assigned to given users. They represent the direct input to
base and limit registers that determine the domain in which
a user can be active. Boundary maps in most cases are
stored with the user in question and represent a potential
means to illegally extend the accessibility afforded a given
function should they be modified. [CDC 66]
k. Memory Access Keys

In a page or segment-oriented system, there are
usually lock registers associated with each physical page in
memory. When a user is assigned to memory, his identifier
is used to generate a unique key that is loaded into all of
the page registers assigned to the particular user. An
address reference to the protected pages cannot be made
unless it contains the appropriate key-pattern in its own
key register. Obviously, selected executive routines must
have a universal key. Setting and access to the key
registers should be a privileged function. [IBM 67]

l. Security Monitor

The security monitor is a technique that
attempts to certify the validity of the various protection
mechanisms in a system. At its simplest, it consists of a
set of on-line diagnostic routines that exercise the various
hardware components in a configuration, expecting a valid
operation to produce a pre-designated result. In a more
complex form, it attempts to deliberately execute illegal
hardware or software operations and then determines whether
or not the responsible protection mechanism has successfully
intercepted and handled the illegal attempt; this version
can have a significant effect on system throughput and,
therefore, requires a careful consideration of what are
acceptable and expected failure levels. [Molho 70]


4. File Handler

The data available in any system is the reward for
penetrating the system. The data available in an automated
system significantly increases the potential reward because
of the large amount, the anonymity of access, and the
difficulty of detection. Data protection is traditionally
obtained by assigning responsibility and limiting access.
Techniques to accomplish both are available in automated
systems. At least the same level of protection can be
obtained in an automated system as in a manual system.
a. File Classification Code

This technique is commonly employed in most
systems that deal with formally classified data. It simply
involves assigning one of the categories of classification
to each data file and then either assigning the file only to
jobs or individuals of equal or higher clearance, or, in the
case of shared files, releasing data from the file only to
users of equal or higher clearance. A somewhat
adventuresome extension of this technique is to attempt to
automatically assign classification levels to new files. In
one system, this is done by using the highest classification
of the contributing files. [Weissman 69] In a proposed
scheme, it is done by doing a key-word count and weighing
the file in accordance with the number of key-words
encountered. [Daley 65] In neither case was it shown to be
statistically more or less effective than manual
classification, except in the marginal area between
unclassified and confidential.
b. Access Lists By File

An extension of the file classification code is
the assignment of specific authority lists to each file.
These lists describe the original creator (or owner) of the
file; other individuals, groups, terminals, etc., who can
share the file; usually the manner in which they can access
the file (read, write, modify, execute, or erase); and the
degree to which access is permitted. At the file level
this corresponds to the cataloguing function of most
third-generation systems. [Glasser 67]


c. File Access Lists By Level

An extension of the previous technique that
permits it to be used in a more flexible environment than
that described by formal discrete files is to assign access
lists to levels of files, or to individual nodes in data
sets. This is especially useful if the files consist of
programs arranged in some kind of hierarchy from common
(free) utility routines to machine-oriented (owned) system
routines. The cost of maintenance, particularly the
determination of access privileges, is quite high. [Babcock]

d. File Access Profile

If a number of users with different need-to-know
interact with a shared set of data, it is necessary to
distinguish the data rights of each user. This is
accomplished by assigning to each file descriptor a profile
word that contains a set of flag-bits, each flag-bit
representing a unique need-to-know identifier. In some
systems utilizing this technique, separate profile words are
assigned for read and update access. There is associated
with each user's profile an equivalent word with the
need-to-know flag assignment according to his requirement
for data. A one-to-one correspondence between user and file
profiles at each flag position is required before access is
permitted. [Bingham 65]

e. Data Element Classification Code

This is identical to "file classification code"
except that each data element in the file is separately
classified. The system can then handle files with mixed
classes of data. This feature greatly reduces the
redundancy associated with file processing since it permits
the grouping of data by functional purpose and utilization
rather than by classification. However, it raises both the
cost of creating files and the cost of assigning
and maintaining classification categories. [Weissman 69]

f. Data Element Profile

This technique is identical to "file access
profile" except that the system can now discriminate among
need-to-know at a finer level of detail. It is usually
implemented by assigning an update word and an access word to
each data element descriptor; these words have particular
settings according to their class. Users with matching
need-to-know patterns are permitted access to the data
element. The bit-patterns are combined to form a composite
need-to-know profile for each data request. In a few
instances, the data element profiles also contain legal
values of a data element that are accessible by a given
class of users.
g. File Encryption, Single Key

Techniques for encrypting data have been
suggested for use in file handling systems. In most cases,
these are variations of cryptographic techniques applied to
communication transmission, and consist of applying a single
key to all records in the file. However, because of the
large number of records in most data files and because of
the rather consistent pattern of field occurrences, this
type of file encryption only provides a marginal increase in
protection: identical fields in identical record positions
encrypt to identical values, so the frequency structure of
the file survives encryption. Depending on the amount of
character manipulation in the crypto technique, CPU
throughput cost can be quite high. [Skatrud 69]
h. File Encryption, Multiple Key

A variation of the preceding technique that
reduces the possibility of deciphering is to use a different
key (either a cascading or random number sequence) for each
record or for a certain number of records. This breaks the
consistency of the encoded data and does not significantly
affect the cost of the encoding/decoding process. [Van Tassel
69]
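The following program is an added illustration of techniques g and h and is not drawn from any of the surveyed systems. It shows why a single key applied to every record of a fixed-field file leaks the field structure, and how a cascading per-record key removes that leakage. The cipher is a toy keystream built from SHA-256 in counter mode, chosen only so the example runs without outside libraries; it is not a vetted cipher and must not be used for real data. The record layout, the personnel records and the file key are constructed for the example.

```python
"""Single-key versus per-record-key file encryption (toy demonstration)."""
import hashlib
from collections import Counter

FIELD_WIDTH = 8          # fixed-width fields, as in card-image records
FIELDS_PER_RECORD = 3


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pack_record(fields) -> bytes:
    """Fixed-width record: every field padded with blanks to FIELD_WIDTH."""
    assert len(fields) == FIELDS_PER_RECORD
    return b"".join(f.encode().ljust(FIELD_WIDTH, b" ") for f in fields)


def encrypt_single_key(file_key: bytes, records) -> list:
    """Technique g: one key, hence one keystream, applied to every record."""
    return [xor(rec, keystream(file_key, len(rec))) for rec in records]


def encrypt_multiple_key(file_key: bytes, records) -> list:
    """Technique h: a cascading key derived from the file key and record number."""
    out = []
    for n, rec in enumerate(records):
        record_key = hashlib.sha256(file_key + n.to_bytes(4, "big")).digest()
        out.append(xor(rec, keystream(record_key, len(rec))))
    return out


def field(record: bytes, index: int) -> bytes:
    start = index * FIELD_WIDTH
    return record[start:start + FIELD_WIDTH]


def repeated_field_values(ciphertexts, index: int) -> int:
    """Count ciphertext records whose field `index` equals that of another record.

    Under a single key this equals the number of plaintext duplicates in the
    field: the field's frequency distribution is readable from the encrypted file.
    """
    counts = Counter(field(c, index) for c in ciphertexts)
    return sum(n for n in counts.values() if n > 1)


# Constructed sample file: personnel records with a repetitive department field.
SAMPLE_RECORDS = [
    pack_record(["SMITH", "ENGR", "SECRET"]),
    pack_record(["JONES", "ENGR", "CONF"]),
    pack_record(["BROWN", "ADMIN", "UNCLAS"]),
    pack_record(["DAVIS", "ENGR", "SECRET"]),
]
FILE_KEY = b"constructed-demo-file-key"


def demo():
    """Return (duplicates visible under one key, under per-record keys,
    whether one known record exposes another under one key)."""
    single = encrypt_single_key(FILE_KEY, SAMPLE_RECORDS)
    multi = encrypt_multiple_key(FILE_KEY, SAMPLE_RECORDS)
    leak_single = repeated_field_values(single, 1)   # department field repeats 3 times
    leak_multi = repeated_field_values(multi, 1)     # no repeats survive
    # Worse: XOR of two single-key ciphertexts is the XOR of the plaintexts,
    # so one known record reveals any other outright.
    recovered = xor(xor(single[0], single[3]), SAMPLE_RECORDS[0])
    return leak_single, leak_multi, recovered == SAMPLE_RECORDS[3]


if __name__ == "__main__":
    print(demo())
```

Under the single key the department field shows three matching ciphertext values out of four records and the classification field two; under per-record keys neither field shows any repeat, and the difference between two ciphertexts no longer equals the difference between the plaintexts.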
i. Data Edition Number

In a system where multiple users are
concurrently updating a set of shared data files, it is
necessary to prevent one update sequence from intruding on
another. A suggested technique is to assign an edition
number to every record in the data base. Each user retains
the latest version of this edition number in its associated
data buffer. When a retrieved record is to be written back
into the data base, the file handler checks the user's
edition number against the data base edition number and only
permits the update if the edition numbers are the same. The
file handler also updates the edition number. [Corbato 65]
j. Block Lock - Write Collision

This technique addresses itself to the same
problem as above, but does not attempt to control the
interaction at the record level. Instead of an edition
number, a block-busy flag is assigned to each file segment.
When a segment is retrieved for update, the block-busy flag
is set, as are all antecedent blocks in the structure (or
only the highest level block if the entry point is always
top-down through the same index). The busy-flag is left on
until the user has indicated completion of the update and
the file-handler has modified the affected index blocks.
[Babcock 67]
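The two collision controls above, edition numbers per record (technique i) and a block-busy flag per file segment (technique j), are modelled in the following added Python example. It is not code from the surveyed systems; the record contents, the segment hierarchy and the user names are constructed for the illustration, and the segment model locks every antecedent block of the segment being updated.

```python
"""Edition-number check and block-busy lock, as a file handler would apply them."""


class StaleEdition(Exception):
    """A record is written back under an edition number the data base has moved past."""


class SegmentBusy(Exception):
    """A segment or one of its antecedent index blocks is held by another user."""


class FileHandler:
    """Technique i: every record carries an edition number."""

    def __init__(self, records: dict):
        # record_id -> (value, edition); every record starts at edition 1
        self._store = {k: (v, 1) for k, v in records.items()}

    def retrieve(self, record_id):
        """Return (value, edition); the user keeps the edition in its data buffer."""
        return self._store[record_id]

    def write_back(self, record_id, new_value, edition_seen):
        """Permit the update only if the editions still match, then bump the edition."""
        _, current = self._store[record_id]
        if edition_seen != current:
            raise StaleEdition(f"{record_id}: buffer edition {edition_seen}, "
                               f"data base edition {current}")
        self._store[record_id] = (new_value, current + 1)
        return current + 1


class SegmentedFile:
    """Technique j: a hierarchy of index blocks, each with a busy flag.

    `parent` maps a segment to its antecedent block; the root has parent None."""

    def __init__(self, parent: dict):
        self._parent = parent
        self._busy = {}          # block -> user holding it

    def _antecedents(self, segment):
        chain = []
        while segment is not None:
            chain.append(segment)
            segment = self._parent.get(segment)
        return chain

    def retrieve_for_update(self, segment, user):
        """Set the busy flag on the segment and all antecedent blocks, or refuse."""
        chain = self._antecedents(segment)
        for block in chain:
            holder = self._busy.get(block)
            if holder is not None and holder != user:
                raise SegmentBusy(f"{block} held by {holder}")
        for block in chain:
            self._busy[block] = user
        return chain

    def complete_update(self, segment, user):
        """Clear the flags once the user signals completion and the index is rewritten."""
        for block in self._antecedents(segment):
            if self._busy.get(block) == user:
                del self._busy[block]


def demo_edition_numbers():
    """Two users read the same record; only the first write-back is accepted."""
    fh = FileHandler({"R1": "balance=100"})
    _, ed_a = fh.retrieve("R1")
    _, ed_b = fh.retrieve("R1")                    # same edition in the second buffer
    fh.write_back("R1", "balance=150", ed_a)       # accepted, edition becomes 2
    try:
        fh.write_back("R1", "balance=90", ed_b)    # stale: would overwrite A's update
        lost_update = True
    except StaleEdition:
        lost_update = False
    value, edition = fh.retrieve("R1")
    return value, edition, lost_update


def demo_block_lock():
    """A second user is held off while any antecedent block is busy."""
    tree = {"root": None, "idx1": "root", "leaf_a": "idx1",
            "leaf_b": "idx1", "idx2": "root", "leaf_c": "idx2"}
    sf = SegmentedFile(tree)
    locked = sf.retrieve_for_update("leaf_a", "userA")   # leaf_a, idx1, root busy
    try:
        sf.retrieve_for_update("leaf_c", "userB")         # root is busy: refused
        refused = False
    except SegmentBusy:
        refused = True
    sf.complete_update("leaf_a", "userA")
    after = sf.retrieve_for_update("leaf_c", "userB")     # now permitted
    return locked, refused, after


if __name__ == "__main__":
    print(demo_edition_numbers())
    print(demo_block_lock())
```

The edition check refuses the second write and leaves the first intact, which is the lost-update case the technique exists to prevent. Locking every antecedent block makes a single update fence off the whole index path, which is why the text notes the coarser alternative of flagging only the top block when all entry is top-down.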

k. Ring Structures

Ring structures are a combination of logical
layers, or rings of data grouped by sensitivity, and
identifiers associated with each user that describe the
equivalent sensitivity of the user. It is permissible for a
user to access and/or execute any data or routine in its own
ring. When a call is made to a segment in another ring, the
system traps to a gate controller, which determines if the
called ring is more or less sensitive. If the sensitivity
is less, then the call is linked to the ring in question.
If it is greater, then a check is made of the access list
associated with the requested segment. This list identifies
legal users (or classes of users), and indicates the type of
access and the particular entry point at which they may use
the requested segment. The gate controller then establishes
the required linkages. To prevent repetitive calls to the
gate controller, upper and lower bounds can be assigned to
each type of access for any user; requests to any rings
within those bounds are automatic and equivalent to
operating within the ring of the requesting user. The
system that implemented this technique had special hardware
registers to check the ring-brackets of segment requests.
[Glasser 67]
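The decision logic of the gate controller is shown below as an added Python model; it is not the code of the system cited, which did the bracket check in hardware registers. The convention assumed is that ring 0 is the most sensitive and higher numbers are less sensitive. The segments, the entry points, the user class "users" and the bounds are constructed for the example.

```python
"""Software model of a ring-structure gate controller (technique k)."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    name: str
    ring: int
    # (user or class name, access type) -> entry points that may be used
    access_list: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    ring: int
    classes: tuple = ()
    # access type -> (lower, upper) rings the user may enter without a gate check
    bounds: dict = field(default_factory=dict)


class GateFault(Exception):
    """The gate controller refused the cross-ring call."""


def gate_controller(user, segment, access, entry):
    """Decide how a call from `user` into `segment` is linked.

    Returns 'own-ring', 'downward', 'within-bounds' or 'gated'; raises
    GateFault when the segment's access list does not permit the call."""
    if segment.ring == user.ring:
        return "own-ring"
    if segment.ring > user.ring:
        return "downward"                 # less sensitive ring: linked directly
    lo, hi = user.bounds.get(access, (user.ring, user.ring))
    if lo <= segment.ring <= hi:
        return "within-bounds"            # bracketed: no access-list check needed
    for principal in (user.name, *user.classes):
        entries = segment.access_list.get((principal, access))
        if entries is not None:
            if entry not in entries:
                raise GateFault(f"{user.name}: {segment.name} may only be "
                                f"entered at {sorted(entries)}")
            return "gated"
    raise GateFault(f"{user.name}: no {access} access to {segment.name} "
                    f"(ring {segment.ring})")


# Constructed layout: 0 supervisor, 1 file handler, 2 shared utilities, 3 user programs.
FILE_HANDLER = Segment("file_handler", 1, {
    ("users", "execute"): {"open", "read", "close"},   # the published gates only
    ("auditor", "read"): {"*"},
})
SQRT = Segment("sqrt", 2)
SCRATCH = Segment("scratch", 3)
ANALYST = User("analyst", 3, classes=("users",), bounds={"execute": (2, 3)})


def demo():
    results = {}
    results["utility"] = gate_controller(ANALYST, SQRT, "execute", "sqrt")
    results["own"] = gate_controller(ANALYST, SCRATCH, "execute", "main")
    results["gate"] = gate_controller(ANALYST, FILE_HANDLER, "execute", "open")
    try:
        gate_controller(ANALYST, FILE_HANDLER, "execute", "internal_seek")  # not a gate
        results["bad_entry"] = "allowed"
    except GateFault:
        results["bad_entry"] = "trapped"
    try:
        gate_controller(ANALYST, FILE_HANDLER, "write", "open")             # no write entry
        results["write"] = "allowed"
    except GateFault:
        results["write"] = "trapped"
    supervisor = User("exec", 0)
    results["down"] = gate_controller(supervisor, SCRATCH, "read", "buffer")
    return results


if __name__ == "__main__":
    print(demo())
```

The entry-point check is the part that matters for security: a caller in a less sensitive ring may only land on the published gates of a more sensitive segment, never on an arbitrary instruction inside it.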


5. Others

Various other software techniques were encountered
during the data collection phase that do not conveniently
fit into the preceding categories. For the most part,
these techniques have to do with using the automated system
to simplify or extend some of the procedural requirements in
a secured system.

a. Document Log

Some systems automatically maintain an
accountability log, making an entry each time that a
classified report is released to a user. This log includes
the date and time of the original request, the parameters
specifying the report extraction criteria, and the terminal
and user identification. The security log is available only
to an identified security officer.

b. Erroneous Attempts Limit

This technique is applied at several
intersection points between a user request and system
function. Since a potential interloper can tinker with
legality checks at any one of these points, it is necessary
to set some limit on the number of consecutive illegal
inputs that will be accepted from any user. Some type of
on-line monitoring is required to record or link the
sequence of requests.

c. Aggregate Techniques For Reports

A serious problem in on-line systems is the
possibility that even though a user cleared to a low level
of access can only access data legally classified at or
below his level, the aggregation of all data accessed can
provide the basis for interpretive conclusions about higher
classified information. Techniques have been suggested that
would combine the access profiles (data element profile) of
all data elements contained in the report into a new profile
that would yield a restricted classification of the report
on a need-to-know basis. However, this cannot prevent
inferences from data, and more work is needed in this area
to determine if some kind of weighting of information
content might be possible. [Feige 69]
d. Overwrite And Memory Erase

Any magnetic recording medium retains an
electromagnetic image of the recorded data for some time
after the initial impression. This residue can be read
directly, albeit inadvertently, if access to the area is
obtained, or picked up through passive deliberate penetration
attempts. Since both primary and secondary storage in most
on-line multiuser systems is considered to be virtual
memory, it is entirely possible that an area in which
classified data had been stored and processed could be
reassigned to a user having a lower classification level.
To prevent this, methods have been developed to overwrite
primary memory by cascading or leapfrogging through the area
and writing a system constant (usually zeros) after the
memory space is deallocated. The confidence in this
technique is increased if it is procedurally established
that every user routine fills its scratch area with a
system constant. In only a few systems is the same
approach used for secondary storage, since the time required
to overwrite deallocated file space on a peripheral device,
particularly one with a single read-write head, can be
considerable. If a centralized data manager is used by all
system users for handling data files, it is conceivable that
reallocated space can safely be maintained as "dirty"
storage because it is not logically valid to read empty file
space. This argument holds only as long as the data manager
is the sole path to the device; any direct device access
bypasses it.


e. Classified Programs

This technique is used in batch-oriented systems
where, to the system, a user consists of a set of programs
and their associated data files. Since the programs are
designed to suit this single set of data, they take on the
classification of the data and can only be called or
modified by job control statements input with the proper
classification leader.

f. Classification Headers and Trailers On Hardcopy
and Displays

This technique is an extension of the current
procedural technique of stamping the classification level at
the top and bottom of every classified page of a report.
It is usually a parameter option in the report generation
routine.

g. File Log

The file log is an extension of the security log
in which every reference to classified data is logged. It
can include the previous data image if the reference causes
a change. It also usually includes the terminal, user,
time, date, and data parameters associated with the
reference.


B. HARDWARE TECHNIQUES

Many of the hardware techniques required for security
purposes have been implemented in third generation
commercial computer systems and in some military computer
systems. The surveyed techniques are assigned to categories
that correspond to the major devices and components in an
on-line system.


1. Central Processing Unit (CPU)

Security related techniques in the CPU provide
control of the logical processes to access and change data.
Techniques that isolate and control the operation of
programs and access to data, provide for recovery from
hardware failure, and allow centralized error checking of
programs and data access are also applicable to the security
of the automated system.
a. Processor Mode, Privileged Instruction Set

Present third generation computer systems have
implemented multiple modes of operation differing in the
ability to process available instructions and in memory
access restrictions. Typically, the system may operate in
one of two modes: the control (executive) mode or the user
mode. The processor will not execute a privileged
instruction unless a processor mode register is set to the
control mode. In the user mode, privileged instructions
cannot be executed and memory accesses are restricted to
those which were assigned while the processor was in the
control mode. In the control mode, all instructions can be
executed and all memory accessed. Should a privileged
instruction occur in a user program or a memory access be
attempted outside the allocated area, an interrupt returns
control to the executive program. User programmed entry
into the control mode is possible only by use of an
executive request or monitor call instruction. Programmed
exit to user mode from control mode is accomplished by
executing a return-to-user-mode privileged instruction.
[Babcock 67]
b. Core Memory Bounding (BAR, Lock and Key, Paging)

Three major hardware techniques are used to
limit core memory access of user programs to a bounded or
allocated area established by the executive program. The
base address register (BAR), containing upper and lower
limits of allowable core memory access, is used to insure
that after indexing or indirect memory addressing, the
hardware memory address is within the bounds of core memory
assigned by the executive program. The lock and key memory
bounds technique is implemented by the executive assignment
of a key word to user programs and to memory areas that
defines the authorized core access area for that user
program. The key word is automatically checked in the core
memory before any access is allowed. The third method,
paging, uses the key word designated by the executive as
part of the hardware memory address, and access is physically
impossible outside the bounded core memory area. The
techniques vary in terms of hardware cost: the base address
register the lowest; lock and key, intermediate; and paging
the highest.
c. Process Control Register (Read/Write/Execute)

The control of the right to read, write, or
execute data has been implemented utilizing the basic method
used for memory bounding. Flag bits are used in the
associated memory bounds register to indicate the rights of
the user program to read and/or write into core and to
execute program instructions in a given memory area.
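The following added Python model ties together the CPU techniques a, b and c above with the software boundary maps and memory access keys of the previous part (A.3.j and A.3.k): a base/limit register relocates and bounds every user reference, a lock register per page is compared with the running program's key, flag bits govern read, write and execute, and privileged instructions trap unless the mode register is in control mode. It is not a description of any surveyed machine; the page size, key values, instruction names and the sample allocation are constructed for the illustration.

```python
"""Toy processor model: BAR bounds, lock-and-key pages, R/W/X flags, mode check."""

PAGE = 256


class Trap(Exception):
    """An error interrupt: the hardware returns control to the executive."""


class Machine:
    def __init__(self, pages: int):
        self.memory = bytearray(pages * PAGE)
        self.page_key = [0] * pages         # lock register per page; 0 = executive only
        self.page_flags = ["rwx"] * pages   # flag bits per page
        self.mode = "control"
        self.bar = (0, pages * PAGE)        # (base, limit) of the running user
        self.key = 0                        # key register of the running program

    # --- privileged (control mode) operations ---------------------------------
    def privileged(self, name):
        if self.mode != "control":
            raise Trap(f"privileged instruction {name} in user mode")

    def assign(self, user_key, base_page, n_pages, flags):
        """Executive loads the boundary map into the BAR and the key into each page."""
        self.privileged("assign")
        for p in range(base_page, base_page + n_pages):
            self.page_key[p] = user_key
            self.page_flags[p] = flags
        self.bar = (base_page * PAGE, (base_page + n_pages) * PAGE)
        self.key = user_key

    def set_bounds(self, base, limit):
        self.privileged("set-bounds")
        self.bar = (base, limit)

    def enter_user_mode(self):
        self.privileged("return-to-user")
        self.mode = "user"

    def error_interrupt(self):
        """Hardware side of a Trap: the mode register goes back to control."""
        self.mode = "control"

    # --- memory reference checks -------------------------------------------------
    def _check(self, addr, access):
        """Relative address -> physical address, or Trap."""
        if self.mode == "control":
            return addr                     # executive addresses all of core directly
        base, limit = self.bar
        phys = base + addr                  # BAR relocation
        if not base <= phys < limit:        # technique b: bounds
            raise Trap(f"address {phys} outside [{base}, {limit})")
        page = phys // PAGE
        if self.page_key[page] != self.key: # lock and key
            raise Trap(f"key {self.key} does not open page {page}")
        if access not in self.page_flags[page]:   # technique c: R/W/X flag bits
            raise Trap(f"{access} not permitted on page {page}")
        return phys

    def load(self, addr):
        return self.memory[self._check(addr, "r")]

    def store(self, addr, value):
        self.memory[self._check(addr, "w")] = value

    def execute(self, addr):
        self._check(addr, "x")
        return True


def demo():
    m = Machine(pages=8)
    m.assign(user_key=7, base_page=2, n_pages=2, flags="rw")   # pages 2-3, data only
    m.enter_user_mode()
    m.store(10, 0x41)                                          # relative 10 -> physical 522
    results = {"in_bounds": m.load(10) == 0x41}
    attempts = [
        ("out_of_bounds", lambda: m.load(2 * PAGE)),           # physical 1024, past limit
        ("no_execute", lambda: m.execute(10)),                 # page lacks the x flag
        ("priv_in_user", lambda: m.assign(7, 0, 8, "rwx")),    # widen own map: privileged
    ]
    for name, op in attempts:
        try:
            op()
            results[name] = "allowed"
        except Trap:
            results[name] = "trapped"
            m.error_interrupt()
            m.enter_user_mode()             # executive chooses to resume the user
    # Lock and key is independent of the BAR: widen the bounds to all of core
    # and the page keys still fence off pages never assigned to this user.
    m.error_interrupt()
    m.set_bounds(0, 8 * PAGE)
    m.enter_user_mode()
    results["own_page_still_ok"] = m.load(2 * PAGE + 10) == 0x41
    try:
        m.load(5 * PAGE)                    # page 5 carries key 0, not 7
        results["wrong_key"] = "allowed"
    except Trap:
        results["wrong_key"] = "trapped"
    return results


if __name__ == "__main__":
    print(demo())
```

The last two checks are the point the text makes about relative cost and coverage: the BAR alone stops the out-of-bounds reference, but only the per-page keys catch a reference that falls inside a BAR the executive set too wide, which is why the boundary map itself must never be writable by the user it bounds.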
d. I/O Control Registers and Mask Register

The loading of I/O control registers and I/O
mask registers allows the centralization of all input/output
under executive control, which is essential to the effective
isolation of user programs and data. The mask register
provides an effective means of controlling different types
of interrupts, including those associated with inadvertent or
deliberate attempts of user programs to perform unauthorized
actions.
e. Parity

Parity, generated for the transmission of data,
is checked by receiving units. A single parity bit detects
any single or odd number of bit errors in the word (or bit
group) in which it is included; an even number of bit errors
in the same group passes undetected. It is used in most
third generation computers to provide a method to detect
hardware errors in all parts of the computer system.
Detection of a parity error causes an interrupt to the
executive mode. [Molho 70]
f. Security Control Flag Bits

Flag bits in programs and data for the
purpose of indicating security level is a technique which
has been suggested but not implemented in any of the systems
surveyed. The flag bits in each data word would indicate
the security level of the data and the class of user who
could read or write the data word. The flag bits in program
instructions would govern execution of the program. Both
hardware and/or software control has been suggested to
interpret the flag bits. The high cost in additional memory
to store these extra bits has been cited as one of the
reasons why the technique has not been implemented. Some of
the more advanced systems have implemented the use of flag
bits with software interpretation at the control word level
rather than the individual word level.
g. Code Redundancy

The use of extra bits to provide code redundancy
to enhance the capability to correct errors or to better
identify errors has been suggested but not implemented for
key control instructions. The mode control register and
memory bounds register have been suggested as areas where
code redundancy should be used. [Molho 70]

h. Redundant Key Registers and Logic

The technique of using redundant registers for
mode control and I/O channel control has been suggested but
not implemented. The use of multiple registers that would
cause an error interrupt if they did not agree would insure
the proper functioning of these key controls.


2. Main Memory Module

The control of access to the main memory module is
necessary for proper security control in an automated
system. All programs and data that will be accessed must
ultimately reside in the main memory. Control of main
memory areas in some systems is accomplished by the CPU, in
others by a combination of CPU and memory circuits. Since
all data and programs are read from the memory, the
integrity of data in the memory is paramount. Hardware
failures must be detected to prevent the possibility of CPU
execution of changed code with unpredictable results.
a. Parity Logic 
The memory unit checks and/or generates parity 
bits for storage in order that odd bit failures can be 
detected. A parity failure causes an interrupt to the 
executive mode in the CPU. 
b. Key Word Register

In lock and key memory protect systems, the
memory compares the key flags of the access request with
those set by the executive in the key word register. This
prevents unauthorized read/write/execute access to memory
for data or programs.
c. Read Only Memory

Read only memory is used in some systems for key
control programs to provide protection against unauthorized
change to programs or data. The higher cost of such
memories has limited their use.
d. Dedicated Memory

The use of separate memories for different
classes of users has been suggested to provide security of
classified data. Such a system requires control by an
executive program. The physical separation of data into
separate dedicated memories also requires correlation
software techniques to code data. Plug-in dedicated
memories for special programs and data such as security
access lists and security monitor programs have been
proposed but not implemented.
e. Memory Block Erase

A special instruction and associated hardware to
clear a specified block of memory has been suggested in
order to clear residue from a task upon completion of that
task. This procedure would insure that classified data is
destroyed before memory is reallocated. This prevents core
dump instructions at the beginning of the new user program
from outputting the previous user's data.
f. Associative Memory

An associative memory allows the retrieval of
data or programs based upon a code match rather than a
hardware address. It has been suggested as a technique that
could be used to retrieve data or programs based upon a code
designation of the data or program class. Large associative
memories have not been implemented in systems because of
their high cost.
g. Memory Partitioning Ports

The use of special dedicated ports or paths into
dedicated blocks of memory has been suggested as a method to
isolate special classes of data. The special ports could
only be accessed by a special set of privileged
instructions.


3. I/O Control Processor

The input/output control processor (IOCP) provides
the hardware interface with mass memory (disc, drums, tapes,
card reader/punch) and with the system's users (printer,
display, communications lines, etc.). Data is transferred
between those external units through the IOCP to the CPU and
main memory. The IOCP features which are particularly
important to data security are the registers and logic that
route the data between the proper external device and the
proper main memory core block and CPU.

a. I/O Bounds Control

The CPU provides the starting address and either the word
count or ending address for any data transfer between
external devices and main memory. The IOCP, through bounds
control, insures that the data is transferred to the
allocated block of memory. Each address is automatically
checked to insure that it is within the address bounds. Any
address outside the address block causes an error interrupt
to the executive mode.
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b. Unit Address Register 
The unit address for outputs of data is 
furnished to the IOCP by the CPU. Unit select gates ccnnect 
the appropriate unit buffer in the IOCP based upon the 
Contents of the unit address register. For data input, 
demand queueing is processed by the CPU which furnished the 
IOCP with a control word defining the allocated memory block 
for the input. 
c. IOCP Parity Check

Inter-equipment address, data transfer and unit
address control word parity checks provide the capability of
detecting single failures and preventing the misrouting of
data.
d. I/O Channel/Number Character Check

Logic has been suggested but not implemented to
provide a means to identify misrouting of data in the IOCP.
Before any data is released to a channel, the channel number
and terminal device would be checked by the CPU. A character
count register would be set to allow transmission of a
specified number of characters and decremented to zero as
characters are transmitted. At zero count, the channel
number would again be checked and the character count
register reset. This procedure insures that data is being
input/output on the correct channel and, in case of
malfunction, limits the amount of data released.
e. I/O Security Level Register

This I/O register would check a record control
security code word against a channel security level code.
If the classification level of the control word was higher
than the channel level, an interrupt would be generated.
This channel security level check has been suggested but not
implemented.
f. Channel Number Check Logic

This technique requires that the channel control
word from the CPU to the IOCP be transmitted twice and
matched by dual registers in the IOCP before data is
transmitted on the channel. A mismatch causes an error
interrupt. The technique has been suggested but not
implemented.
g. I/O Answerback Check

This suggested technique utilizes hardware which
requires an answerback identifying the receiving terminal
unit before allowing any transmission to the terminal unit.
The answerback terminal unit identification is checked for a
match against the original control word in the IOCP before
data is transmitted.
h. I/O Memory Eraser

The IOCP provides the capability to clear a
block of memory of residue from a previous use of the space.
A control word from the CPU specifies the main memory block
address. The IOCP then cycles through the block addresses
transmitting all zeros to the block address. At the end of
the block, the IOCP generates an interrupt to the CPU that
identifies the block as being cleared. This technique could
be used in CPU-limited systems instead of a software
routine.
i. I/O Code Redundancy

Additional bits over those logically required
could be used for terminal addressing. This would provide
the capability of error detection and error correction.
Additional error detection and correction hardware
would be required.


4. Direct Access Memory Controller

The majority of the data and programs are stored on
direct access memory (disc, drum, tape) and transferred to
the main memory when required for processing. Physical and
electrical control of access to these devices is necessary
to insure security. Electrical access to the devices is
through their controllers, which provide for record address
location and read/write execution on the device.
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a. Read Only Lock 
Logic and switches on the controller provide the 
capability to allow read only access on specified tracks of 
disc and drum. n specified tracks of disc and drum. These 
switches are set to read only or read/write at system setup 
time. tape drivers can also be set to read only by write 
disable switches. 
b. Record Address Check

The controller checks the parity of each word as
it is read from the device. A parity error generates an
error interrupt to the IOCP.
c. Check Sum Logic

The controller counts the bits in a given record
and checks this total against a total entered at the
beginning or end of the record. If the totals do not agree,
an error interrupt is generated. This technique allows the
detection of accidental or careless change to records; since
the total is unkeyed, a deliberate change accompanied by a
recomputed total is not detected.


5. Remote and Local User Terminals

The computer system terminals are the means used for
communication between the automated system and the user.
Access to the terminals and user capabilities allowed at the
terminals are the key security control features. The
hardware security techniques identified at the terminals
provide means to limit access and control user capabilities.

a. Cryptographic Devices

Cryptographic devices are used to automatically
encode and decode data on communications channels. The
techniques used in the devices are highly classified and
require a special engineering discipline. Therefore, it
becomes a cost-effectiveness decision as to the use of
cryptographic hardware devices. For communication channels,
cryptographic techniques are the only known practical method
to prevent access to data by radiation or wire tapping. [Van
Tassel 69]
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b. Hang Up and Dial 
This technique provides logic that transmits a 
request from the terminal for computer services. The 
computer then requests a verification of the request from 
the terminal. An identification code is automatically sent 
that confirms the terminal request. Separate lines have 
been suqgested For the transmission of the two 
identificaticn requests. In some systems, a telephone 
confirmation by computer support personnel is used for the 
verification of the on-line terminal request. [Petersen 67) 
c. Key Pattern Generators

Several techniques to identify individual users
have been suggested. Identification card readers are used
by a few systems. Voice, fingerprint, and combination lock
code generators have been suggested but not implemented for
the generation of individual key patterns. The key patterns
are transmitted to the computer system where access rights
to data and programs are authorized on the basis of the key
pattern comparison.


6. General Techniques 


Some of the hardware techniques apply to more than 
one of the subsystems of the computer. They are described 
in this section. 

a. Combination Lock or Lock And Key

The physical securing of key parts of the
computer system by combination lock or lock and key has been
suggested as a method to limit access to critical circuits.
The circuits suggested for this protection are the power
circuit at terminals, read only switches on mass memory
devices, the cabinets that contain the IOCP, CPU, core
memories, and dedicated plug-in memories.

b. Dual Hardware Access

This technique would require the simultaneous insertion of keys by more than one person to gain access to key hardware components.

c. Data Destruction Techniques 

The problem of quickly destroying classified data in case of seizure of a computer area or a remote terminal is a security problem in both automated and manual systems. The problem is not an easy one, since large volumes of data must be destroyed in a short time. Sequentially writing a random number stream onto data files does not prevent residual effects on magnetic storage devices, but it would make data recovery much more difficult. Physical destruction of devices, depending upon the level of destruction, could destroy the data involved. Degaussing the mass storage devices is a possibility but could require too much time or unreasonable power levels. It is felt that further study is needed to identify reasonable and practical methods of protection from the threat of area seizure.
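The random-stream overwrite mentioned above, as an added example that is not code from the survey. It overwrites every byte of a file with output from the operating system's random source, forces the writes to the device, and only then unlinks the file; the sample file contents are constructed. The caveat in the text still applies, and a modern one is stated in the comments: on flash, copy-on-write and journaled storage the blocks overwritten may not be the ones that held the old data.

```python
import os
import tempfile

BLOCK_SIZE = 64 * 1024


def overwrite_file(path, passes=1):
    """Overwrite every byte of `path` in place with random data, `passes` times.

    Returns the total number of bytes written.  Each pass is flushed and
    fsync'ed so the data reaches the device rather than a buffer cache.
    Caveats: this raises the cost of recovery on magnetic media but does not
    remove residual magnetisation (as the text notes), and on flash,
    copy-on-write or journaled storage the device may write the new data to
    different physical blocks and leave the old ones intact.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(BLOCK_SIZE, remaining))
                f.write(chunk)
                remaining -= len(chunk)
                written += len(chunk)
            f.flush()
            os.fsync(f.fileno())
    return written


def destroy_file(path, passes=1):
    """Overwrite then unlink.  Returns True if the file is gone afterwards."""
    overwrite_file(path, passes)
    os.unlink(path)
    # Sync the directory so the unlink itself is durable; not every
    # platform allows opening a directory, so failure here is tolerated.
    try:
        dir_fd = os.open(os.path.dirname(os.path.abspath(path)), os.O_RDONLY)
        try:
            os.fsync(dir_fd)
        finally:
            os.close(dir_fd)
    except OSError:
        pass
    return not os.path.exists(path)


# Constructed sample data standing in for a classified data file.
SAMPLE_CONTENT = b"CLASSIFIED RECORD 0001 SMITH J 1234 \n" * 4000


def make_sample_file():
    """Write the constructed sample to a temporary file; returns its path."""
    fd, path = tempfile.mkstemp(prefix="destroy-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_CONTENT)
    return path


def read_back(path):
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    sample = make_sample_file()
    print("bytes overwritten:", overwrite_file(sample, passes=2))
    print("destroyed:", destroy_file(sample))
```

Overwriting in place is only meaningful when the file system writes back to the same blocks; where it does not, encrypting the volume and destroying the key is the practical equivalent of the degaussing the text considers.
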


C. HARDWARE AND SOFTWARE COMPARISONS 


Effective on-line control to prevent one user's programs and data from being accessed or changed by other users' programs can be achieved by hardware techniques. The use of a processor mode, a privileged instruction set, and memory bounds provides the tools for effective isolation of programs and data. Effective on-line control of files or data against unauthorized access can best be achieved by software techniques. The use of user profile tables (containing user code identification, program rights and clearance level) provides an effective means to control access to programs and data. Software programs can also provide security monitoring and security logging of all accesses or changes to data and programs. [Carrol 71]
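As an added example (not code from the survey or from any system it cites), a software access monitor built around the user profile table just described: each profile carries the user's identification code, program rights and clearance level, every request is checked against the profile and the file's classification, and every decision is logged. The users, files and clearance levels are constructed for the example.

```python
from dataclasses import dataclass, field

# Clearance ordering used for the comparison; constructed for the example.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class UserProfile:
    user_code: str              # identification code the user presents
    clearance: str              # clearance level
    program_rights: frozenset   # programs this user may run
    file_rights: dict           # file name -> set of modes ("read", "write")


@dataclass(frozen=True)
class FileRecord:
    name: str
    classification: str


@dataclass
class SecurityMonitor:
    """Mediates every program execution and file access and logs the outcome."""
    profiles: dict                       # user_code -> UserProfile
    files: dict                          # file name -> FileRecord
    log: list = field(default_factory=list)

    def _record(self, user_code, target, mode, granted):
        self.log.append((user_code, target, mode, "GRANTED" if granted else "DENIED"))
        return granted

    def run_program(self, user_code, program):
        profile = self.profiles.get(user_code)
        granted = profile is not None and program in profile.program_rights
        return self._record(user_code, program, "execute", granted)

    def access_file(self, user_code, file_name, mode):
        profile = self.profiles.get(user_code)
        rec = self.files.get(file_name)
        granted = False
        if profile is not None and rec is not None:
            # Both checks must pass: the clearance dominates the file's
            # classification, and the profile grants this mode on this file.
            cleared = LEVELS[profile.clearance] >= LEVELS[rec.classification]
            granted = cleared and mode in profile.file_rights.get(file_name, set())
        return self._record(user_code, file_name, mode, granted)

    def denied_entries(self):
        return [entry for entry in self.log if entry[3] == "DENIED"]


# Constructed profile and file tables.
PROFILES = {
    "ALPHA": UserProfile("ALPHA", "SECRET", frozenset({"PAYRUN", "REPORT"}),
                         {"PAYROLL": {"read"}, "PERSONNEL": {"read", "write"}}),
    "BRAVO": UserProfile("BRAVO", "CONFIDENTIAL", frozenset({"REPORT"}),
                         {"PAYROLL": {"read"}}),
}
FILES = {
    "PAYROLL": FileRecord("PAYROLL", "SECRET"),
    "PERSONNEL": FileRecord("PERSONNEL", "CONFIDENTIAL"),
}


def build_monitor():
    return SecurityMonitor(profiles=dict(PROFILES), files=dict(FILES))


if __name__ == "__main__":
    m = build_monitor()
    m.access_file("ALPHA", "PAYROLL", "read")    # granted
    m.access_file("BRAVO", "PAYROLL", "read")    # denied: clearance too low
    for entry in m.log:
        print(*entry)
```

Note that BRAVO holds a read right on PAYROLL in the profile table yet is still refused: the clearance comparison and the discretionary right are independent checks, and the monitor records the refusal so the periodic log review described later in the survey can see it.
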

Either software or hardware techniques can be used for communications channel coding of data, the clearing of residue data from main memory blocks, terminal user identification, detection of unauthorized change to data on direct access memory, and proper I/O routing.

Software and hardware techniques are both considered necessary for recovery from software failures and, if required, for the effective isolation of support users' access to data and programs. The isolation of support personnel from access to data and programs is the most difficult automated security technique to implement. The hardware techniques required consist of a processor mode and a privileged instruction set, and could include the use of dedicated memory. Software techniques for isolation that have been suggested but not implemented include relocative bootstrap, redundant coding, module dialogue and program interpretation.

Figure 6 gives a summary of comparisons between hardware and software techniques. The table shows the security use, applicable techniques and remarks on major impact.


D. PROCEDURAL TECHNIQUES


Procedural techniques are required to set up, maintain and monitor the automated security system. They apply as well to protecting data in the form of hard copy reports as they do to protecting it in the form of backup tapes and disk packs, program listings, program decks, common data pools, and user ID lists and passwords. They are needed to establish the manual as well as the automated methods by which the four functions of security are accomplished. These four functions are classifying and declassifying data, providing the means to safeguard the data, providing for proper accountability, and allowing the dissemination of the data on the basis of a need-to-know. [Wasserman 69]

The security that is obtained in any system ultimately rests on the responsibility and trustworthiness of the individuals who are associated with it. There are, therefore, two primary procedural techniques that transcend the four functional areas and apply equally to every aspect of system activity. The first is to guarantee that the requirement to set up, maintain and monitor the system is accomplished only by those designated to perform the indicated function. The second is the formal establishment by law of personnel responsibility for the safeguarding and dissemination of classified data. Each person is responsible for safeguarding classified data or programs made available to him for the performance of his official duties and for limiting dissemination of that data to only those with proper security clearance and need-to-know. These two principal procedures are implemented formally in all government systems and in several commercial systems reviewed.


1. Classifying and Declassifying Procedures 


Procedures are available that allow designated individuals to assign security classification at the file and program level. In some systems the user profile table specifically grants the authority to classify/declassify given files. In all systems, the ability to classify/declassify files and programs is permitted only to the individual of highest level security authority in the installation, usually the system security officer.


2. Safeguarding Procedures


All systems use secure area protection for central computer areas and remote classified terminals. Access lists are maintained to allow entry into these areas. The establishment of such access lists is the designated responsibility of the system security officer through formal submittal to the security authority. In addition, this officer is charged with the establishment and maintenance of user/terminal profile tables that provide the authority to access data and files, and with the assignment of personal IDs and/or code words to authorized users. These should preferably be assigned in a random manner and at random intervals.


3. Accountability Procedures


Procedures are available to provide periodic review of access logs, security monitor logs, record counts/check totals and file logs. Such reviews are the responsibility of the system security officer or data administrator and are called for at stated periodic times. Document sign-out procedures similar to those used in manual systems for classified data are used for hard copy classified material. An inventory of all hard-copy classified material, backup tapes, disk packs, program listings and card decks is conducted on a periodic basis.
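An added example (not code from the survey) of the two reviews described in this section and again under the manual/automated comparison later in the chapter: a record count and check total computed over a master file and compared with the values entered in the file log at the last review, and a pass over access log lines that flags denied attempts, out-of-hours access and users with repeated denials. The records, log lines and authorized hours are constructed for the example.

```python
import hashlib
from collections import Counter

# Constructed master file: one fixed-format record per line.
PAYROLL_RECORDS = [
    "0001 SMITH J    1234 CLERK   0850",
    "0002 JONES R    1235 ANALYST 1100",
    "0003 BROWN T    1236 CLERK   0850",
    "0004 GARCIA M   1237 MANAGER 1500",
]


def record_count_and_check_total(records):
    """Return (record count, check total) for a file.  The check total is a
    SHA-256 over the records in order, so a changed, dropped or reordered
    record changes it."""
    digest = hashlib.sha256()
    for rec in records:
        digest.update(rec.encode("utf-8") + b"\n")
    return len(records), digest.hexdigest()


def verify_file(records, logged_count, logged_total):
    """Compare the file as it is now against the count and total entered in
    the file log at the last review."""
    count, total = record_count_and_check_total(records)
    return count == logged_count and total == logged_total


# Constructed access log: date time user terminal file mode outcome.
ACCESS_LOG = [
    "1971-03-02 08:15 ALPHA TTY-07 PAYROLL READ GRANTED",
    "1971-03-02 09:02 BRAVO TTY-12 PAYROLL READ DENIED",
    "1971-03-02 09:03 BRAVO TTY-12 PAYROLL READ DENIED",
    "1971-03-02 09:04 BRAVO TTY-12 PERSONNEL READ DENIED",
    "1971-03-02 22:40 ALPHA TTY-07 PAYROLL WRITE GRANTED",
    "1971-03-03 10:30 CHARLIE TTY-03 PERSONNEL READ GRANTED",
]


def review_access_log(lines, authorized_hours=(7, 18), denial_threshold=3):
    """Return a list of (kind, detail) findings for the security officer's
    periodic review.  `authorized_hours` is a half-open [start, end) range."""
    findings = []
    denials = Counter()
    start, end = authorized_hours
    for line in lines:
        date, time, user, terminal, file_name, mode, outcome = line.split()
        hour = int(time.split(":")[0])
        where = f"{user} {mode} {file_name} at {terminal} on {date} {time}"
        if outcome == "DENIED":
            denials[user] += 1
            findings.append(("denied", where))
        if not start <= hour < end:
            # A granted access outside working hours still merits a look.
            findings.append(("out_of_hours", where))
    for user, n in denials.items():
        if n >= denial_threshold:
            findings.append(("repeated_denials", f"{user}: {n} denied attempts"))
    return findings


if __name__ == "__main__":
    count, total = record_count_and_check_total(PAYROLL_RECORDS)
    print("records:", count, "check total:", total[:16], "...")
    for kind, detail in review_access_log(ACCESS_LOG):
        print(f"{kind:17s} {detail}")
```

The record count alone catches a dropped or duplicated record; the check total is what catches a record altered in place, which is why the text lists both.
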


4. Dissemination 


The dissemination of data in automated systems is based on user/terminal profile tables in some systems and on the use of access lists in others. The system security officer is responsible for the preparation and maintenance of the tables and lists. In systems that use passwords or code words, procedures are established for the dissemination of the current codes on a periodic basis to the authorized users. These procedural techniques are applicable to any system, since they are a common requirement for providing adequate protection. [Wasserman 69]


E. MANUAL AND AUTOMATED PROCEDURAL COMPARISONS 


A comparison of procedures used in automated systems versus those that are used in manual systems provides a method to judge the relative value of automated techniques that are common to both as well as those which are analogous. In both automated and manual military systems, procedural techniques are used to (1) secure access where classified data is used, (2) assure proper clearance of personnel, (3) classify, access, disseminate, and control classified data, and (4) protect classified data during transmission by cryptographic secure communication lines. The addition of automated techniques to increase the reliability of these procedures could be viewed as an attempt to increase the security of automated systems over that of manual systems.

Analogous techniques used in the two systems are (1) data storage procedures, (2) data access procedures, (3) data access accounting, (4) storage check procedures and (5) inventory procedures.

Data access procedures in a manual system are based upon access lists and personnel identification. In automated systems, access to data and files is based upon user/terminal profile tables and the requirement to submit the proper code word. Other techniques have been suggested, such as fingerprint and voice code pattern generators.

Data access accountability in manual systems is performed by document sign-out. In automated systems, logs of file access by user or terminal identification can be kept automatically. Daily safe checks are used in manual systems to ensure storage integrity. In automated systems, the access logs and security program reports can be reviewed as often as desired. Periodic inventory is used in manual systems to ensure documents have not been lost or stolen. In automated systems the files are reviewed periodically, check sum totals are used to ensure data integrity, and all security logs are reviewed. The conclusion is that the automated system, with the use of modest security techniques, can provide a greater level of security than is possible in a manual system.
VI. CONCLUSIONS


It is important to understand what present technology can and cannot do in protecting classified information in a resource sharing system. Present technology offers no way to absolutely protect information or the computer operating system itself from all security threats posed by the human beings around it. As a consequence, procedural and administrative safeguards must be applied in resource-sharing computer centers to supplement the protection available in the hardware and software.

Security control in a computer system, especially a resource sharing one, is a system design problem, and solutions to it must be based on a systems point of view. The future of data bank security lies in designing a system with adequate protection which is not so complex or expensive as to discourage its use. In principle, the number, type, and depth of security controls in a system should depend on the sensitivity of the information in the system, on the class of users being served, on the geographical distribution of the system, on the nature of the service that the system provides its users, and on the operational situation that the system supports.

The system designer must be aware of the totality of potential leakage points in any system in order to create or prescribe techniques and procedures to block entry and exploitation. The security problem of specific computer systems must be solved on a case-by-case basis, employing the best judgment of a team consisting of system programmers, technical, hardware, and communications specialists, and security experts.